diff src/imap-login/client-authenticate.c @ 2733:9b9d9c164a31 HEAD

Login process cleanups. Share more authentication code between pop3/imap.
author Timo Sirainen <tss@iki.fi>
date Mon, 11 Oct 2004 20:14:26 +0300
parents f1e9f3ec8135
children e2ce951fa8e6
line wrap: on
line diff
--- a/src/imap-login/client-authenticate.c	Mon Oct 11 17:29:51 2004 +0300
+++ b/src/imap-login/client-authenticate.c	Mon Oct 11 20:14:26 2004 +0300
@@ -11,14 +11,8 @@
 #include "str-sanitize.h"
 #include "imap-parser.h"
 #include "auth-client.h"
-#include "ssl-proxy.h"
 #include "client.h"
 #include "client-authenticate.h"
-#include "auth-common.h"
-#include "master.h"
-
-/* Used only for string sanitization while verbose_auth is set. */
-#define MAX_MECH_NAME 64
 
 const char *client_authenticate_get_capabilities(int secured)
 {
@@ -45,214 +39,6 @@
 	return str_c(str);
 }
 
-static void client_auth_abort(struct imap_client *client, const char *msg)
-{
-	client->authenticating = FALSE;
-
-	if (client->common.auth_request != NULL) {
-		auth_client_request_abort(client->common.auth_request);
-		client->common.auth_request = NULL;
-	}
-
-	if (msg != NULL && verbose_auth)
-		client_syslog(client, "Authentication failed: %s", msg);
-
-	client_send_tagline(client, msg != NULL ?
-			    t_strconcat("NO ", msg, NULL) :
-			    "NO Authentication failed.");
-
-	/* get back to normal client input */
-	if (client->common.io != NULL)
-		io_remove(client->common.io);
-	client->common.io = client->common.fd == -1 ? NULL :
-		io_add(client->common.fd, IO_READ, client_input, client);
-
-	client_unref(client);
-}
-
-static void master_callback(struct client *_client, int success)
-{
-	struct imap_client *client = (struct imap_client *) _client;
-	const char *reason = NULL;
-
-	if (success) {
-		reason = t_strconcat("Login: ", client->common.virtual_user,
-				     NULL);
-	} else {
-		reason = t_strconcat("Internal login failure: ",
-				     client->common.virtual_user, NULL);
-		client_send_line(client, "* BYE Internal login failure. "
-				 "Error report written to server log.");
-	}
-
-	client_destroy(client, reason);
-}
-
-static void client_send_auth_data(struct imap_client *client,
-				  const unsigned char *data, size_t size)
-{
-	buffer_t *buf;
-	const void *buf_data;
-	size_t buf_size;
-	ssize_t ret;
-
-	t_push();
-
-	buf = buffer_create_dynamic(pool_datastack_create(), size*2);
-	buffer_append(buf, "+ ", 2);
-	base64_encode(data, size, buf);
-	buffer_append(buf, "\r\n", 2);
-
-	buf_data = buffer_get_data(buf, &buf_size);
-	if ((ret = o_stream_send(client->output, buf_data, buf_size)) < 0)
-		client_destroy(client, "Disconnected");
-	else if ((size_t)ret != buf_size)
-		client_destroy(client, "Transmit buffer full");
-
-	t_pop();
-}
-
-static void login_callback(struct auth_request *request,
-			   struct auth_client_request_reply *reply,
-			   const unsigned char *data, void *context)
-{
-	struct imap_client *client = context;
-	const char *error;
-
-	switch (auth_callback(request, reply, data, &client->common,
-			      master_callback, &error)) {
-	case -1:
-	case 0:
-		/* login failed */
-		client_auth_abort(client, error);
-		break;
-
-	default:
-		/* success, we should be able to log in. if we fail, just
-		   disconnect the client. */
-                client->authenticating = FALSE;
-		client_send_tagline(client, "OK Logged in.");
-		client_unref(client);
-	}
-}
-
-static enum auth_client_request_new_flags
-client_get_auth_flags(struct imap_client *client)
-{
-        enum auth_client_request_new_flags auth_flags = 0;
-
-	if (client->common.proxy != NULL &&
-	    ssl_proxy_has_valid_client_cert(client->common.proxy))
-		auth_flags |= AUTH_CLIENT_FLAG_SSL_VALID_CLIENT_CERT;
-	if (client->tls)
-		auth_flags |= AUTH_CLIENT_FLAG_SSL_ENABLED;
-	return auth_flags;
-}
-
-int cmd_login(struct imap_client *client, struct imap_arg *args)
-{
-	const char *user, *pass, *error;
-	struct auth_request_info info;
-	string_t *plain_login;
-
-	/* two arguments: username and password */
-	if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
-		return FALSE;
-	if (args[1].type != IMAP_ARG_ATOM && args[1].type != IMAP_ARG_STRING)
-		return FALSE;
-	if (args[2].type != IMAP_ARG_EOL)
-		return FALSE;
-
-	user = IMAP_ARG_STR(&args[0]);
-	pass = IMAP_ARG_STR(&args[1]);
-
-	if (!client->secured && disable_plaintext_auth) {
-		if (verbose_auth) {
-			client_syslog(client, "Login failed: "
-				      "Plaintext authentication disabled");
-		}
-		client_send_line(client,
-			"* BAD [ALERT] Plaintext authentication is disabled, "
-			"but your client sent password in plaintext anyway. "
-			"If anyone was listening, the password was exposed.");
-		client_send_tagline(client,
-				    "NO Plaintext authentication disabled.");
-		return TRUE;
-	}
-
-	/* authorization ID \0 authentication ID \0 pass */
-	plain_login = t_str_new(64);
-	str_append_c(plain_login, '\0');
-	str_append(plain_login, user);
-	str_append_c(plain_login, '\0');
-	str_append(plain_login, pass);
-
-	memset(&info, 0, sizeof(info));
-	info.mech = "PLAIN";
-	info.protocol = "IMAP";
-	info.flags = client_get_auth_flags(client);
-	info.local_ip = client->common.local_ip;
-	info.remote_ip = client->common.ip;
-	info.initial_resp_data = str_data(plain_login);
-	info.initial_resp_size = str_len(plain_login);
-
-	client_ref(client);
-
-	client->common.auth_request =
-		auth_client_request_new(auth_client, NULL, &info,
-					login_callback, client, &error);
-	if (client->common.auth_request == NULL) {
-		if (verbose_auth)
-			client_syslog(client, "Login failed: %s", error);
-		client_send_tagline(client, t_strconcat(
-			"NO Login failed: ", error, NULL));
-		client_unref(client);
-		return TRUE;
-	}
-
-	/* don't read any input from client until login is finished */
-	if (client->common.io != NULL) {
-		io_remove(client->common.io);
-		client->common.io = NULL;
-	}
-
-	client->authenticating = TRUE;
-	return TRUE;
-}
-
-static void authenticate_callback(struct auth_request *request,
-				  struct auth_client_request_reply *reply,
-				  const unsigned char *data, void *context)
-{
-	struct imap_client *client = context;
-	const char *error;
-
-	if (!client->authenticating) {
-		/* client aborted */
-		i_assert(reply == NULL);
-		return;
-	}
-
-	switch (auth_callback(request, reply, data, &client->common,
-			      master_callback, &error)) {
-	case -1:
-		/* login failed */
-		client_auth_abort(client, error);
-		break;
-
-	case 0:
-		/* continue */
-		client_send_auth_data(client, data, reply->data_size);
-		break;
-	default:
-		/* success, we should be able to log in. if we fail, just
-		   disconnect the client. */
-                client->authenticating = FALSE;
-		client_send_tagline(client, "OK Logged in.");
-		client_unref(client);
-	}
-}
-
 static void client_auth_input(void *context)
 {
 	struct imap_client *client = context;
@@ -276,7 +62,8 @@
 		return;
 
 	if (strcmp(line, "*") == 0) {
-		client_auth_abort(client, "Authentication aborted");
+		sasl_server_auth_cancel(&client->common,
+					"Authentication aborted");
 		return;
 	}
 
@@ -285,13 +72,13 @@
 
 	if (base64_decode(line, linelen, NULL, buf) < 0) {
 		/* failed */
-		client_auth_abort(client, "Invalid base64 data");
+		sasl_server_auth_cancel(&client->common, "Invalid base64 data");
 	} else if (client->common.auth_request == NULL) {
-		client_auth_abort(client, "Don't send unrequested data");
+		sasl_server_auth_cancel(&client->common,
+					"Don't send unrequested data");
 	} else {
 		auth_client_request_continue(client->common.auth_request,
-					     buffer_get_data(buf, NULL),
-					     buffer_get_used_size(buf));
+					     buf->data, buf->used);
 	}
 
 	/* clear sensitive data */
@@ -301,75 +88,142 @@
 	safe_memset(buffer_free_without_data(buf), 0, bufsize);
 }
 
+static void sasl_callback(struct client *_client, enum sasl_server_reply reply,
+			  const char *data)
+{
+	struct imap_client *client = (struct imap_client *)_client;
+	struct const_iovec iov[3];
+	size_t data_len;
+	ssize_t ret;
+
+	switch (reply) {
+	case SASL_SERVER_REPLY_SUCCESS:
+		client_send_tagline(client, "OK Logged in.");
+		client_destroy(client, t_strconcat(
+			"Login: ", client->common.virtual_user, NULL));
+		break;
+	case SASL_SERVER_REPLY_AUTH_FAILED:
+		if (data == NULL)
+			client_send_tagline(client, "Authentication failed");
+		else {
+			client_send_tagline(client, t_strconcat(
+				"NO Authentication failed: ", data, NULL));
+		}
+
+		/* get back to normal client input. */
+		if (client->io != NULL)
+			io_remove(client->io);
+		client->io = io_add(client->common.fd, IO_READ,
+				    client_input, client);
+		break;
+	case SASL_SERVER_REPLY_MASTER_FAILED:
+		client_send_line(client, "* BYE Internal login failure. "
+				 "Error report written to server log.");
+		client_destroy(client, t_strconcat("Internal login failure: ",
+						   client->common.virtual_user,
+						   NULL));
+		break;
+	case SASL_SERVER_REPLY_CONTINUE:
+		data_len = strlen(data);
+		iov[0].iov_base = "+ ";
+		iov[0].iov_len = 2;
+		iov[1].iov_base = data;
+		iov[1].iov_len = data_len;
+		iov[2].iov_base = "\r\n";
+		iov[2].iov_len = 2;
+
+		ret = o_stream_sendv(client->output, iov, 3);
+		if (ret < 0)
+			client_destroy(client, "Disconnected");
+		else if ((size_t)ret != 2 + data_len + 2)
+			client_destroy(client, "Transmit buffer full");
+		else {
+			/* continue */
+			return;
+		}
+		break;
+	}
+
+	client_unref(client);
+}
+
 int cmd_authenticate(struct imap_client *client, struct imap_arg *args)
 {
-	const struct auth_mech_desc *mech;
-	const char *mech_name, *error;
-	struct auth_request_info info;
+	const char *mech_name;
 
 	/* we want only one argument: authentication mechanism name */
 	if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
-		return FALSE;
+		return -1;
 	if (args[1].type != IMAP_ARG_EOL)
-		return FALSE;
+		return -1;
 
 	mech_name = IMAP_ARG_STR(&args[0]);
 	if (*mech_name == '\0')
 		return FALSE;
 
-	mech = auth_client_find_mech(auth_client, mech_name);
-	if (mech == NULL) {
+	client_ref(client);
+	sasl_server_auth_begin(&client->common, "IMAP", mech_name, NULL, 0,
+			       sasl_callback);
+	if (!client->common.authenticating)
+		return 1;
+
+	/* following input data will go to authentication */
+	if (client->io != NULL)
+		io_remove(client->io);
+	client->io = io_add(client->common.fd, IO_READ,
+			    client_auth_input, client);
+	return 0;
+}
+
+int cmd_login(struct imap_client *client, struct imap_arg *args)
+{
+	const char *user, *pass;
+	string_t *plain_login;
+
+	/* two arguments: username and password */
+	if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
+		return -1;
+	if (args[1].type != IMAP_ARG_ATOM && args[1].type != IMAP_ARG_STRING)
+		return -1;
+	if (args[2].type != IMAP_ARG_EOL)
+		return -1;
+
+	user = IMAP_ARG_STR(&args[0]);
+	pass = IMAP_ARG_STR(&args[1]);
+
+	if (!client->common.secured && disable_plaintext_auth) {
 		if (verbose_auth) {
-			client_syslog(client, "Authenticate %s failed: "
-				      "Unsupported mechanism",
-				      str_sanitize(mech_name, MAX_MECH_NAME));
+			client_syslog(&client->common, "Login failed: "
+				      "Plaintext authentication disabled");
 		}
-		client_send_tagline(client,
-				    "NO Unsupported authentication mechanism.");
-		return TRUE;
-	}
-
-	if (!client->secured && mech->plaintext && disable_plaintext_auth) {
-		if (verbose_auth) {
-			client_syslog(client, "Authenticate %s failed: "
-				      "Plaintext authentication disabled",
-				      str_sanitize(mech_name, MAX_MECH_NAME));
-		}
+		client_send_line(client,
+			"* BAD [ALERT] Plaintext authentication is disabled, "
+			"but your client sent password in plaintext anyway. "
+			"If anyone was listening, the password was exposed.");
 		client_send_tagline(client,
 				    "NO Plaintext authentication disabled.");
-		return TRUE;
+		return 1;
 	}
 
-	memset(&info, 0, sizeof(info));
-	info.mech = mech->name;
-	info.protocol = "IMAP";
-	info.flags = client_get_auth_flags(client);
-	info.local_ip = client->common.local_ip;
-	info.remote_ip = client->common.ip;
+	/* authorization ID \0 authentication ID \0 pass */
+	plain_login = buffer_create_dynamic(pool_datastack_create(), 64);
+	buffer_append_c(plain_login, '\0');
+	buffer_append(plain_login, user, strlen(user));
+	buffer_append_c(plain_login, '\0');
+	buffer_append(plain_login, pass, strlen(pass));
 
 	client_ref(client);
-	o_stream_uncork(client->output);
+	sasl_server_auth_begin(&client->common, "IMAP", "PLAIN",
+			       plain_login->data, plain_login->used,
+			       sasl_callback);
+	if (!client->common.authenticating)
+		return 1;
 
-	client->common.auth_request =
-		auth_client_request_new(auth_client, NULL, &info,
-					authenticate_callback, client, &error);
-	if (client->common.auth_request != NULL) {
-		/* following input data will go to authentication */
-		if (client->common.io != NULL)
-			io_remove(client->common.io);
-		client->common.io = io_add(client->common.fd, IO_READ,
-					   client_auth_input, client);
-                client->authenticating = TRUE;
-	} else {
-		if (verbose_auth) {
-			client_syslog(client, "Authenticate %s failed: %s",
-				      str_sanitize(mech_name, MAX_MECH_NAME),
-				      error);
-		}
-		client_send_tagline(client, t_strconcat(
-			"NO Authentication failed: ", error, NULL));
-		client_unref(client);
+	/* don't read any input from client until login is finished */
+	if (client->io != NULL) {
+		io_remove(client->io);
+		client->io = NULL;
 	}
 
-	return TRUE;
+	return 0;
 }